• Advisory ID: DRUPAL-SA-CONTRIB-2017-013
• Project: Acquia Content Hub (third-party module)
• Version: 8.x
• Date: 2017-February-08
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
• Vulnerability: Access bypass

Description

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service.

The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information they may not be authorized to view.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Acquia Content Hub 8.x-1.x versions prior to 8.x-1.4.

Drupal core is not affected. If you do not use the contributed Acquia Content Hub module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Acquia Content Hub module for Drupal 8.x, upgrade to Acquia Content Hub 8.x-1.4

Also see the Acquia Content Hub project page.

Reported by

• Samuel Mortenson

Fixed by

• Alejandro Barrios the module maintainer
• Cash William of the Drupal Security Team
• Samuel Mortenson
• Kyle Browning
• Wim Leers

Coordinated by

• Stéphane Corlosquet of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity